
Threat hunt uncovers AI-lured crypto wallet theft
Organization: MSP industry, 25 employees, Ohio, US
Solution: Sophos MDR
Adversary behavior
The threat actor poisons ChatGPT results with a malicious link designed to intercept a common cryptocurrency workflow: connecting a hardware wallet through a browser-based wallet. Tools like Trezor and MetaMask are deliberately targeted because they are widely used together, with users relying on step-by-step online instructions to access their crypto wallets. By embedding a bad link into AI-assisted responses, the attacker inserts themselves directly into this setup. A user working from a personal device in a BYOD environment follows the AI-surfaced link and completes what appears to be a legitimate authentication step—unknowingly providing wallet credentials and verification details to the attacker. With that access, the attacker steals cryptocurrency.
Threat hunting
When malicious activity takes place outside traditional detection boundaries (e.g., personal browsers, legitimate cloud-hosted services), there is no malware, no blocked connection, and no clear security alert to track. When customers need clarity, Sophos Threat Hunters examine historical endpoint and integrated telemetry to uncover suspicious patterns that blend into everyday activity. Guided by human expertise and supported by AI analysis, the team reconstructs what happened, confirms malicious activity, and explains the full attack path.
Investigation
Sophos MDR conducts a threat hunt focused on historical activity on the employee’s device. Sophos analysts confirm a legitimate MetaMask browser extension, validating that the wallet software itself is not malicious. Browser history reveals the full attack path beginning with AI-assisted searching, interaction with a spoofed page to capture credentials, a verification capture flow, and subsequent theft. By correlating timestamps and browser activity, Sophos MDR confirms the attacker inserted themselves into a trusted crypto setup process, with no evidence of broader compromise or lateral impact. This investigation answers the key questions left in the aftermath of the incident—how access was obtained, what was affected, and what was not.
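The browser-history triage described above (an AI-assistant referral, a visit to a page impersonating the wallet brand, then the multi-step credential and verification capture flow) can be reconstructed from an exported history table. The script below is an added example written for this page, not Sophos code or tooling. It assumes a history export of (timestamp, visited URL, referrer URL) records, uses constructed sample records with a `.example` placeholder host standing in for the spoofed page, and treats the official wallet domains and the AI-assistant hostnames as assumptions to adjust per environment.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Official domains for the wallet tools the case study names (assumption for this example).
OFFICIAL_DOMAINS = {"trezor.io", "metamask.io"}
BRAND_KEYWORDS = ("trezor", "metamask")
# Hostnames treated as AI-assistant referrers (assumption; extend for other assistants).
AI_ASSISTANT_HOSTS = {"chatgpt.com", "chat.openai.com"}

# Constructed browser-history export: (timestamp, visited URL, referrer URL or "").
# The ".example" host is a placeholder for a spoofed wallet-setup page.
SAMPLE_HISTORY = [
    ("2025-01-15T09:02:11", "https://chatgpt.com/c/how-to-connect-trezor-to-metamask", ""),
    ("2025-01-15T09:03:40", "https://metamask-wallet-connect.example/setup", "https://chatgpt.com/"),
    ("2025-01-15T09:04:05", "https://metamask-wallet-connect.example/verify",
     "https://metamask-wallet-connect.example/setup"),
    ("2025-01-15T09:04:50", "https://metamask-wallet-connect.example/confirm",
     "https://metamask-wallet-connect.example/verify"),
    ("2025-01-15T09:05:30", "https://metamask.io/download", ""),
    ("2025-01-15T11:30:00", "https://docs.trezor.io/", "https://www.google.com/"),
]


def host_of(url):
    """Lowercased hostname of a URL; empty string for an empty referrer."""
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Crude last-two-label domain; enough to compare against the official list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_lookalike(host):
    """A host that carries a wallet brand name but is not the brand's own domain."""
    if not host or registrable_domain(host) in OFFICIAL_DOMAINS:
        return False
    return any(keyword in host for keyword in BRAND_KEYWORDS)


def find_ai_lured_wallet_visits(history, window_minutes=30):
    """One finding per AI-referred visit to a lookalike wallet host, together with
    the follow-on pages on that host inside the time window (the capture flow)."""
    entries = sorted((datetime.fromisoformat(ts), url, ref) for ts, url, ref in history)
    findings = []
    for i, (ts, url, ref) in enumerate(entries):
        host = host_of(url)
        if host_of(ref) not in AI_ASSISTANT_HOSTS or not is_lookalike(host):
            continue
        deadline = ts + timedelta(minutes=window_minutes)
        follow_on = [u for t, u, _ in entries[i + 1:] if t <= deadline and host_of(u) == host]
        findings.append({
            "lure_time": ts.isoformat(),
            "referrer_host": host_of(ref),
            "lookalike_host": host,
            "follow_on_pages": follow_on,
        })
    return findings


if __name__ == "__main__":
    for finding in find_ai_lured_wallet_visits(SAMPLE_HISTORY):
        print(f"{finding['lure_time']}  {finding['referrer_host']} -> {finding['lookalike_host']}")
        for page in finding["follow_on_pages"]:
            print(f"    then: {page}")
```

The visit to `docs.trezor.io` is not flagged because its registrable domain is on the official list, and the legitimate `metamask.io` visit that follows the lure is excluded from the follow-on pages because it is a different host. In a real hunt the official-domain list and referrer set should come from the customer's environment, and the timestamps should be correlated with endpoint telemetry (extension installs, process starts) rather than browser history alone.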
Response
Sophos MDR focuses on preventing any further misuse of the compromised crypto accounts. The team advises resetting all credentials and multi-factor authentication associated with the affected wallets and terminating any active sessions, ensuring the attacker cannot regain access. Because this attack exploits trust in AI-generated content, Sophos MDR encourages the customer to treat AI responses like any other unverified source and to use the incident to inform their security awareness training programs.